Using a browser as an external user-agent for SAML authentication in an SSL VPN connection
When establishing an SSL VPN tunnel connection, FortiClient can present a SAML authentication request to the end user in a web browser.
FortiClient (Windows) and (macOS) 7.0.1 and EMS 7.0.1 support this feature. FortiClient (Linux) 7.0.1 does not support this feature.
This feature is not supported when SSL VPN realms are configured. When SSL VPN realms are configured and the user provides their SAML authentication credentials in an external browser, FortiClient fails to establish the SSL VPN connection.
To configure FortiAuthenticator as the identity provider (IdP):
- In FortiAuthenticator, go to Authentication > SAML IdP > Service Providers.
- Configure a new service provider (SP) for SAML.
- Go to Authentication > User Management > Local Users.
- Create a new user.
To configure FortiGate as a SAML SP:
- In the FortiOS CLI, create a SAML user. Ensure that the SP and IdP details match the details provided by FortiAuthenticator:
config user saml
set cert "Fortinet_Factory"
set entity-id "http://192.168.230.56:4433/remote/saml/metadata/"
set single-sign-on-url "https://192.168.230.56:4433/remote/saml/login/"
set single-logout-url "https://192.168.230.56:4433/remote/saml/logout/"
set idp-entity-id "http://172.17.61.118:443/saml-idp/s6rlo1pxemulz84k/metadata/"
set idp-single-sign-on-url "https://172.17.61.118:443/saml-idp/s6rlo1pxemulz84k/login/"
set idp-single-logout-url "https://172.17.61.118:443/saml-idp/s6rlo1pxemulz84k/logout/"
set idp-cert "REMOTE_Cert_1"
set user-name "username"
set group-name "group"
set digest-method sha1
- Ensure that the SAML redirect port is set to 8020. SAML external browser authentication uses port 8020 by default. If another service or application is occupying this port, FortiClient displays a message showing that the SAML redirect port is unavailable.:
config vpn ssl setting
show full-configuration | grep 8020
set saml-redirect-port 8020
- Create a user group by going to User & Authentication > User Groups > Create New. Provide the required details and add the user that you created in step 1 to this group.
- Go to VPN > SSL-VPN Settings. Under Authentication/Portal Mapping, create a mapping with the user group that you created in step 3. From the Portal dropdown list, select full-access. Click OK.
- Go to Policy & Objects > Firewall Policy. Select the SSL VPN firewall policy. Ensure that the Source field includes the SAML user group.
To configure external browser for authentication in EMS:
- In EMS, go to Endpoint Profiles > Manage Profiles, and edit the desired profile.
- On the VPN tab, click Add Tunnel. Provide the correct gateway information. In Advanced Settings, enable Enable SAML Login. Configure other fields as desired. Save the tunnel.
- On the XML Configuration tab, under the
<sso_enabled>element for the tunnel, add
- Click Test XML, then save the configuration.
To test the connection in FortiClient:
- After FortiClient receives the latest configuration update from EMS, go to the Remote Access tab.
- View the tunnel to verify that the Use external browser as user-agent for saml user authentication field is enabled.
- Connect to the tunnel by clicking SAML Login. Verify that FortiClient opens your default browser to prompt for authentication. Provide your credentials and click Login to establish the connection.